AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
97eff73b71
v8/test/mjsunit/regress/regress-crbug-751109.js
Benedikt Meurer 71012480b7 [runtime] Properly forward the "interesting symbol" bit. 
This fixes a corner case of rewriting the transition trees, where the
"interesting symbols" bit was not properly forwarded.

Drive-by-fix: Introduce additional checking in Map::ConnectTransition to
make it easier for clusterfuzz to detect cases we might have missed.

R=mstarzinger@chromium.org

Bug: chromium:751109
Change-Id: I3f1a1e6232db9b3694064b3d4e9f37255b018acc
Reviewed-on: https://chromium-review.googlesource.com/597669
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47075}
2017-08-02 11:08:38 +00:00

8 lines
222 B
JavaScript
Raw Blame History

// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --verify-heap
(new constructor)[0] = null;
Reference in New Issue View Git Blame Copy Permalink